Linux for Network Engineers: How to get Socket Statistics Information with ss

Information around sockets on a Linux system is often used to troubleshoot network and connectivity issues, as well as evaluate the health of a Linux host. There are a few ways to extract that information and in this post we’ll review how to use the “ss” utility.

“ss” stands for socket statistics. It’s very similar to the netstat utility.

It’s part of the iproute package, and you can install it with “apt-get install iproute.”

Established Sockets

By typing “ss,” without any options you’ll get all sockets that have established connections.

1

2

3

netbeez.net$ss

State Recv-QSend-QLocal Address:Port Peer Address:Port

ESTAB0240172.31.0.14:ssh172.30.10.202:51831

On this host there is just one established TCP connection which corresponds to an ssh session. As you can see, ss made the translation and instead of showing port 22 (172.310.14:22), it shows ssh as the service that is using that port.

Display Numeric Values

If you want to see the actual numeric values without any translation use the “-n” option:

1

2

3

netbeez.net$ss-n

State Recv-QSend-QLocal Address:Port Peer Address:Port

ESTAB0240172.31.0.14:22172.30.10.202:51831

Listening Sockets

If you want to see a list of listening sockets, add the “-l” option:

1

2

3

netbeez.net$ss-l

State Recv-QSend-QLocal Address:Port Peer Address:Port

LISTEN0128*:ssh *:*

UDP Sockets

By default, ss shows only established connections, and since UDP sockets are connectionless we have to explicitly ask ss to show UDP socket statistics with the “-a” (all) and “-u” (UDP) options:

1

2

3

4

5

6

netbeez.net$ss-ua

State Recv-QSend-QLocal Address:Port Peer Address:Port

UNCONN00172.31.0.255:ntp *:*

UNCONN00172.31.0.14:ntp *:*

UNCONN00127.0.0.1:ntp *:*

UNCONN00*:ntp *:*

Display Processes

To display the process that is using a socket enter the “-p” option:

1

2

3

netbeez.net$ss-p

State Recv-QSend-QLocal Address:Port Peer Address:Port

ESTAB0240172.31.0.14:ssh172.30.10.202:51831users:(("sshd",13548,3))

In this example, sshd is the process that is running the ssh service, and its process id is 13548.

Filter by State

“ss” gives you ability to filter ports by the status of the socket with the “state” keyword as follows:

1

2

3

netbeez.net$ss state established

Recv-QSend-QLocal Address:Port Peer Address:Port

0240172.31.0.14:ssh172.30.10.202:51831

Of course, you can use several other state filters such as sync-sent, closed, etc.

Filter by port

To see which UDP sockets use port 153, I can use the “sport” (source port) filter

1

2

3

4

5

6

netbeez.net$ss-au sport=:123

State Recv-QSend-QLocal Address:Port Peer Address:Port

UNCONN00172.31.0.255:ntp *:*

UNCONN00172.31.0.14:ntp *:*

UNCONN00127.0.0.1:ntp *:*

UNCONN00*:ntp *:*

Filter by port range

If you want to display specific port ranges, you can use “comparative operators,” such as, greater than or less than. Here is an example that displays sockets that use ports with values greater than 100:

1

2

3

4

5

6

netbeez.net$ss-taun sport gt:100

Netid State Recv-QSend-QLocal Address:Port Peer Address:Port

udp UNCONN00172.31.0.255:123*:*

udp UNCONN00172.31.0.14:123*:*

udp UNCONN00127.0.0.1:123*:*

udp UNCONN00*:123*:*

Summary Statistics

Finally, to get a summary of the socket statistics on a host use the “-s” option as follows:

1

2

3

4

5

6

7

8

9

10

11

netbeez.net$ss-s

Total:43(kernel0)

TCP:2(estab1,closed0,orphaned0,synrecv0,timewait0/0),ports0

Transport Total IP IPv6

*0--

RAW000

UDP440

TCP220

INET660

FRAG000

If you want to get all the details and available options of ss you can look at the manual of the command with “man ss.”